Unbound
Revision as of 18:48, 16 January 2016
Unbound is a validating, recursive, and caching DNS resolver. It is quite useful for enforcing DNSSEC validation and for caching DNS queries locally. It is best used in conjunction with DNSCrypt, which encrypts the queries Unbound forwards upstream.
Installation
Unix-like
Install it from your distribution's repository, or download it from the official page.
Windows
Windows users may download it from the official page.
What to expect
There are numerous advantages to having a local DNS server like Unbound, most of which can be summed up in a few short sentences:
- Enforces DNSSEC: answers that fail validation are never handed to clients;
- Reduces privacy exposure, because answers already in the cache are served without asking an upstream resolver again;
- Consequently, decreases DNS lookup latency for queries that have already been cached;
- Hardens DNS queries against spoofing and cache poisoning (see the harden-* options under Security).
Configuration
This is what a proper unbound.conf file ought to look like: unbound.conf (do not copy and paste it verbatim unless your CPU has 4 threads, you are running Linux, and your Unbound build has libevent; the placeholders in angle brackets below show how each value is derived).
General
server:
    interface: 127.0.0.1
    # 0.0.0.0 means listen on _all_ IPv4 interfaces (unsupported on some systems); ::0 does the same for IPv6
    # interface: 0.0.0.0
    # interface: ::0
    # Only use access-control if you want to stray from the default, in which only localhost is allowed and everything else is refused.
    # The value is a network, not a host address (for example 192.168.1.0/24 for a typical home LAN, or 192.168.0.0/16 for the
    # whole private block), and LAN clients can only reach Unbound if it also listens on a LAN address (see interface above).
    access-control: <your LAN's network, for example 192.168.1.0/24> allow
    access-control: ::1 allow   # IPv6 localhost
    verbosity: 1
    port: 53
    do-ip4: yes
    do-ip6: <yes, if your ISP/router supports it>
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
    # the log file (and its directory) must be writable by the user Unbound runs as
    logfile: "<where you want your log file to be, for example /var/log/unbound/unbound.log>"
Performance
    # use all threads
    num-threads: <number of CPU cores>
    # slabs must be a power of 2; a value close to the number of threads is a reasonable choice
    msg-cache-slabs: <same>
    rrset-cache-slabs: <same>
    infra-cache-slabs: <same>
    key-cache-slabs: <same>
    # more cache memory
    rrset-cache-size: 100m
    msg-cache-size: <rrset-cache-size/2>
    # more outgoing connections; depends on the number of threads, because without
    # libevent the whole process is limited to 1024 sockets shared between the threads
    outgoing-range: <(1024/threads)-50>
    num-queries-per-thread: <(1024/threads)/2>
    # larger socket buffers
    so-rcvbuf: 4m
    so-sndbuf: 4m
    # faster UDP with multithreading (only on Linux)
    so-reuseport: yes
Note: if your Unbound build has libevent, outgoing-range can be increased to 4096 or 8192 for a slight performance gain. In that case num-queries-per-thread should be about half of outgoing-range (for example 4096 with an outgoing-range of 8192), which guarantees that every query can get a socket, with some to spare for the queries Unbound itself sends to nameservers.
Security
    # do not answer id.server / version.server queries
    hide-identity: yes
    hide-version: yes
    harden-short-bufsize: yes
    harden-large-queries: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    use-caps-for-id: yes
    # enables DNSSEC validation(!)
    # Generate the file as root with: unbound-anchor -a /desired/path/to/root.key
    # Unbound keeps it up to date itself (RFC 5011), so the file must be writable by the user
    # Unbound runs as; ideally keep it inside the unbound configuration directory.
    auto-trust-anchor-file: "<path to your root.key file, for example /etc/unbound/root.key>"
Security consideration: run Unbound as a dedicated user and group created just for it, with no privileges, no login shell and no home directory. Unbound only needs root to bind port 53 and then drops to the account named by the username: option in unbound.conf (the default is "unbound"); make sure the root.key file and the log file are owned by that user, since it has to be able to write both.
with DNSCrypt
    # (in the server: section) Unbound refuses to send queries to localhost by default;
    # this is necessary for the local DNSCrypt proxy to be used as the forwarder
    do-not-query-localhost: no
forward-zone:
    name: "."
    # 127.0.0.1 is DNSCrypt's --local-address; 40 is the port DNSCrypt is listening on, which is probably either 40 or 53
    # Unbound still validates DNSSEC on the answers it receives from the forwarder
    forward-addr: 127.0.0.1@40
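Before restarting the service, the settings from the General, Performance, Security and DNSCrypt sections above can be checked for the mistakes those sections warn about. The following is an added example written for this page, not part of Unbound or of the original article. It parses only the unbound.conf subset used above (clause headers such as server: and forward-zone:, option: value lines, # comments); the 1024-socket limit it assumes applies to builds without libevent, and SAMPLE_CONF is a constructed configuration seeded with deliberate mistakes.

```python
"""Pre-flight linter for the unbound.conf pitfalls discussed above.
Added example, not part of Unbound or of the original page: it handles the
subset of unbound.conf used here ('clause:' headers such as server: and
forward-zone:, 'option: value' lines, '#' comments). SAMPLE_CONF is a
constructed config seeded with deliberate mistakes."""
import ipaddress
from collections import defaultdict

SLABS = ("msg-cache-slabs", "rrset-cache-slabs", "infra-cache-slabs", "key-cache-slabs")
LOOPBACK = {"127.0.0.1", "::1"}


def parse_unbound_conf(text):
    """Return [(clause, {option: [values]})] in file order. A line with an
    empty value ('server:') opens a clause; later lines belong to it."""
    clauses, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments
        if not line:
            continue
        key, _, value = line.partition(":")           # first ':' ends the name
        key, value = key.strip(), value.strip()
        if value == "":
            current = (key, defaultdict(list))
            clauses.append(current)
        elif current is not None:
            current[1][key].append(value.strip('"'))
    return clauses


def _first(opts, name, default=None):
    return opts[name][0] if opts.get(name) else default


def lint(text, have_libevent=False):
    """Return a list of findings (strings) for the config in `text`."""
    server, zones = defaultdict(list), []
    for name, opts in parse_unbound_conf(text):
        if name == "server":
            for k, v in opts.items():
                server[k].extend(v)
        elif name == "forward-zone":
            zones.append(opts)
    out = []
    # General: access-control takes a network (host bits zero), and a LAN
    # network is only reachable if Unbound listens on more than loopback.
    listening = {i.split("@")[0] for i in server.get("interface", [])}
    for entry in server.get("access-control", []):
        net, _, action = entry.partition(" ")
        try:
            network, host = ipaddress.ip_network(net, strict=False), ipaddress.ip_interface(net).ip
        except ValueError:
            out.append(f"access-control '{net}' is not a valid network")
            continue
        if host != network.network_address:
            out.append(f"access-control '{net}' has host bits set; did you mean {network}?")
        if action.strip() == "allow" and not host.is_loopback and listening <= LOOPBACK:
            out.append(f"access-control allows {network} but Unbound only listens on "
                       "loopback; add an interface: line for the LAN address")
    # Performance: slabs are powers of two; without libevent the process has 1024 sockets
    threads = int(_first(server, "num-threads", 1))
    for opt in SLABS:
        val = _first(server, opt)
        if val is not None and (int(val) <= 0 or int(val) & (int(val) - 1)):
            out.append(f"{opt}: {val} is not a power of 2")
    outgoing = _first(server, "outgoing-range")
    if outgoing is not None:
        outgoing, limit = int(outgoing), 1024 // threads - 50
        if not have_libevent and outgoing > limit:
            out.append(f"outgoing-range {outgoing} exceeds 1024/{threads} - 50 = {limit}; "
                       "that needs a libevent build")
        nqpt = _first(server, "num-queries-per-thread")
        if nqpt is not None and int(nqpt) > outgoing // 2:
            out.append(f"num-queries-per-thread {nqpt} is more than half of "
                       f"outgoing-range {outgoing}; queries may run out of sockets")
    # Security: no trust anchor means no DNSSEC validation at all.
    if not _first(server, "auto-trust-anchor-file"):
        out.append("no auto-trust-anchor-file: DNSSEC validation is off")
    # DNSCrypt: a forwarder on localhost is never used while do-not-query-localhost is yes
    for zone in zones:
        for addr in zone.get("forward-addr", []):
            if (ipaddress.ip_address(addr.split("@")[0]).is_loopback
                    and _first(server, "do-not-query-localhost", "yes") != "no"):
                out.append(f"forward-addr {addr} is on localhost but "
                           "do-not-query-localhost is not set to no")
    return out


SAMPLE_CONF = """\
server:
    interface: 127.0.0.1
    access-control: 192.168.1.1/16 allow   # host bits set, and unreachable anyway
    num-threads: 4
    rrset-cache-slabs: 6                   # not a power of two
    outgoing-range: 8192                   # only valid with libevent
    num-queries-per-thread: 4096
    auto-trust-anchor-file: "/etc/unbound/root.key"
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@40             # do-not-query-localhost left at default
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("-", finding)
```

Run it as-is to see the findings for SAMPLE_CONF, or call lint() on the contents of your own unbound.conf (with have_libevent=True if your build has it). It complements unbound-checkconf, which checks the syntax, by checking the relationships between options that the sections above describe.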
Additional considerations
It is possible, and even recommended, to sandbox Unbound; together with the measure already highlighted in this article (a separate user with no home directory) it is the other hardening step worth taking, but you may only do one of the two!
To do this, install firejail and edit your systemd/openrc service scripts so that the unbound command is prefixed with firejail. Firejail comes bundled with a profile for Unbound (and for many other programs), which you can inspect and edit under /etc/firejail, for example with vim /etc/firejail/unbound.profile
Troubleshooting
The log file will almost certainly hold the answer to your woes. In most cases the problem is one of: the path to the root.key file not being set correctly (or the file not being writable by the user Unbound runs as), the forward-addr pointing at the wrong port, or a port that is already in use. Running unbound-checkconf before restarting the service catches syntax errors and several path problems without touching the running daemon.
Example of a log file where the path to the root anchors file was deliberately wrong (or, in my case, the file did not belong to the right user): unbound.log
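Once Unbound is up, the "Enforces DNSSEC" expectation from the top of this page, and a broken root.key path, can also be verified from the client side: ask the resolver with the DNSSEC OK (DO) bit set and look at the AD flag and RCODE of the reply. The code below is an added example written for this page, not code from Unbound or from the original article. It assumes the resolver listens on 127.0.0.1 port 53, that example.com is a signed zone, and that dnssec-failed.org still serves deliberately broken signatures; the query is built by hand from the RFC 1035 header and question and an RFC 6891 OPT record, and only the reply header is parsed.

```python
"""Ask a resolver for a name with the DNSSEC OK (DO) bit set and read the
AD flag and RCODE of the reply, to see whether it validates.

Added example, not code from the original page or from Unbound. The server
address, port and the names queried in main are assumptions."""
import socket
import struct

FLAG_AD = 0x0020        # Authentic Data: the resolver validated the answer
RCODE_SERVFAIL = 2      # what a validating resolver returns for bogus data


def build_query(name, qtype=1, txid=0x1234, dnssec_ok=True):
    """Wire form of a recursive query for `name` (A record by default) with
    an OPT pseudo-RR whose DO bit asks for DNSSEC processing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, QDCOUNT=1, ARCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)             # class IN
    # OPT: root name, TYPE 41, CLASS = UDP payload size, TTL = extended
    # rcode, version and flags (DO is the top bit), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0,
                                0x8000 if dnssec_ok else 0, 0)
    return header + question + opt


def parse_header(reply):
    """Return (txid, rcode, ad) from the 12-byte reply header."""
    txid, flags = struct.unpack("!HH", reply[:4])
    return txid, flags & 0x000F, bool(flags & FLAG_AD)


def classify(reply, txid):
    """Say what a reply tells us about validation of the queried name."""
    rid, rcode, ad = parse_header(reply)
    if rid != txid:
        return "mismatched txid"
    if rcode == RCODE_SERVFAIL:
        return "servfail"          # bogus signatures: the resolver refused to answer
    if rcode != 0:
        return f"rcode {rcode}"
    return "validated" if ad else "unvalidated"


def check_resolver(name, server="127.0.0.1", port=53, timeout=3.0):
    """Send one UDP query to the resolver and classify its reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        reply, _ = sock.recvfrom(4096)
    return classify(reply, 0x1234)


if __name__ == "__main__":
    # Against a validating Unbound, a signed zone should come back "validated"
    # and a zone with deliberately broken signatures (assumed: dnssec-failed.org)
    # "servfail"; "unvalidated" everywhere means the trust anchor is not loaded.
    for host in ("example.com", "dnssec-failed.org"):
        try:
            print(host, check_resolver(host))
        except OSError as exc:
            print(host, "no reply:", exc)
```

If every name comes back "unvalidated", Unbound is answering but not validating, which is what a wrong auto-trust-anchor-file path (or a root.key it cannot write) looks like from the client; a timeout on every name points at the interface, port or forward-addr settings instead.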